In a significant joint operation, Cloudflare and Microsoft have successfully dismantled a major global phishing network known as “RaccoonO365.” This sophisticated operation, sold as a “Phishing-as-a-Service” subscription for a monthly fee of $355, was responsible for stealing login credentials for Microsoft 365 accounts on a massive scale.
The criminal enterprise utilized phishing kits to compromise accounts, resulting in the theft of over 5,000 Microsoft 365 passwords across 94 countries. The stolen data, which included credentials, cookies, and sensitive information from OneDrive, SharePoint, and email accounts, was then made available to subscribers for illicit purposes such as financial fraud, extortion, and other large-scale attacks.
To combat this threat, Cloudflare and Microsoft initiated a coordinated takedown in September 2025. This decisive action involved blocking hundreds of domains and worker accounts associated with the RaccoonO365 actors. Simultaneously, Microsoft’s Digital Crimes Unit (DCU), operating under a court order from the Southern District of New York, seized the network’s underlying infrastructure. This seizure, which targeted a network internally designated as “Storm-2246,” resulted in the shutdown of 338 websites used by the criminal organization.
Both companies are confident that these combined efforts have effectively neutralized the technical infrastructure of the operators, severing their access to victim data and significantly crippling their malicious activities.
Ref: Cloudflare participates in global operation to disrupt RaccoonO365